Archive for the ‘Networking’ Category

The IPv6 Problem, pt. 1

Borepatch asked a question (2, really) in comments to my last networking post that deserves a post of its own.

The Fed.Gov is making IPv6 a big deal. How long do you think until (a) large non-DoD migrations occur, or (b) we actually start to run out of IPv4 addresses?

That’s a good question, and the answer requires some understanding of the way internet addresses are numbered and assigned. I’ll go over a crash course on IP addressing and assignment here. Feel free to skip ahead if you know this, or just want the down low.

What do all these numbers mean?

IPv4 Addressing in a Nutshell

IPv4 addresses are 32-bit numbers that are commonly written in what’s known as dotted-decimal format, in which the address is divided into four 8-bit numbers (called octets), each converted to decimal and separated by periods. Thus the IPv4[1] address 11000000101010000110010000000001 is commonly written as 192.168.100.1[2]. A usable range of IP addresses is commonly noted with a subnet mask, netmask, or bitmask.

If you are on a Windows machine[3] you can find your subnet mask by looking at the details of the appropriate network connection (Start, Control Panel, Network Connections). Most people who check will be looking at a subnet mask that looks like this: 255.255.255.0. It looks like an IPv4 address in dotted-decimal notation, but isn’t. It does still represent a 32-bit number, in this case 11111111111111111111111100000000. The subnet mask denotes a group of addresses. For two addresses to be in the same group, they must meet these criteria:

  • For each bit that is set to “1” in the subnet mask, the same bit in the IPv4 address must match. In the case of the example, the first 24 bits must match.
  • For each bit that is set to “0” in the subnet mask, the same bit in the IPv4 address can be set to any value.
  • Subnet masks always consist of an uninterrupted string of 1s with the remaining bits 0, and will always be 32 bits long. In other words, a subnet mask will always look similar to the one above, and never like this: 11111111001111111111111100000000. If it does not follow this rule, it is called a wildcard mask, which does something completely different.

So for the example, if we have an IPv4 address of 192.168.100.1 and a subnet mask of 255.255.255.0, the entire group of addresses that this address belongs to (called a subnet or network) is 192.168.100.0 – 192.168.100.255, or 11000000101010000110010000000000 to 11000000101010000110010011111111 (only the last eight bits differ). The address 192.168.101.1 would be outside of the group.

Subnet masks are also written in CIDR notation, which is an IPv4 address followed by the number of bits in the subnet mask that are set to “1”. The above address in CIDR notation is written as 192.168.100.1/24, because the first 24 bits in the subnet mask are 1s. Since we’re dealing with binary numbers, increasing the number of bits in the bitmask by 1 halves the number of addresses it represents, and reducing the number by 1 doubles the number of addresses. So, since a /24 represents 256 addresses, a /23 represents 512 addresses, and so on. Shorter bitmasks represent larger blocks, and longer bitmasks match smaller blocks.

32 bits allows a grand total of 4294967296 (2^32) assignable addresses. In reality, far fewer of these are actually usable. I’ll go into why in the assignment section.
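Here’s the subnet-mask arithmetic from above worked out in plain Python (an example I’m adding here, not code from the original post). It deliberately avoids the ipaddress module so the bit operations are visible, and it rejects a non-contiguous (wildcard-style) mask instead of silently treating it as a subnet mask.

```python
# Added example: IPv4 subnet mechanics with raw bit operations.
# Function names (dotted_to_int, prefix_length, network_range, ...) are my own.

def dotted_to_int(s):
    """Parse dotted-decimal (e.g. '192.168.100.1') into a 32-bit integer."""
    parts = s.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % s)
    n = 0
    for p in parts:
        v = int(p)
        if not 0 <= v <= 255:
            raise ValueError("octet out of range: %r" % p)
        n = (n << 8) | v
    return n

def int_to_dotted(n):
    """Inverse of dotted_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """CIDR prefix length of a dotted-decimal subnet mask.

    Raises ValueError if the mask is not an uninterrupted run of 1s followed
    by 0s, i.e. if it is a wildcard-style mask rather than a subnet mask.
    """
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("not a contiguous subnet mask: %s" % mask)
    return ones

def network_range(addr, mask):
    """(first, last) dotted addresses of the block containing addr under mask."""
    prefix_length(mask)  # reject wildcard-style masks up front
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    first = a & m                       # 1-bits of the mask must match
    last = first | (~m & 0xFFFFFFFF)    # 0-bits of the mask may take any value
    return int_to_dotted(first), int_to_dotted(last)

def same_subnet(addr1, addr2, mask):
    """True if both addresses agree on every bit that is set in the mask."""
    m = dotted_to_int(mask)
    return dotted_to_int(addr1) & m == dotted_to_int(addr2) & m

def block_size(prefix):
    """Addresses in a /prefix block; each extra mask bit halves the block."""
    return 1 << (32 - prefix)

if __name__ == "__main__":
    print(prefix_length("255.255.255.0"))                                   # 24
    print(network_range("192.168.100.1", "255.255.255.0"))                  # ('192.168.100.0', '192.168.100.255')
    print(same_subnet("192.168.100.1", "192.168.101.1", "255.255.255.0"))   # False
    print(block_size(24), block_size(23))                                   # 256 512
```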

IPv6 Addressing

The IPv6 address space is 128 bits wide, 2^96 times the size of the IPv4 address space. To help you wrap your mind around how many addresses that is, that’s about 523 thousand trillion (523,000,000,000,000,000) addresses for every human brain cell on the planet[4]. IPv6 address assignment is a bit more complex than IPv4, so I’m just going to hit the basics. This is an IPv6 address:

2001:0db8:0000:130F:0000:0000:087C:140B

It consists of 8 16-bit hexadecimal numbers separated by colons. It’s long as hell, so there are two rules for shortening it.

  1. Any leading zeros in a segment can be dropped, i.e. :0001: can be written as just :1:
  2. Once (and only once) per address, the longest string of contiguous zeroes can be reduced to a pair of colons ‘::’

So the address above can also be written as:

2001:db8:0:130F::87C:140B

Most IPv6-capable machines will automatically truncate addresses using these rules. IPv6 addresses also use a bitmask to denote the size of the address group (network). It is most commonly written in CIDR notation, but it’s important to remember that there are 128 possible bits in an IPv6 bitmask, so while a /32 bitmask (all ones) represents a single address in IPv4, in v6 (32/128 ones) it represents about 7.9×10^28 addresses.
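The two shortening rules, plus the /N block-size arithmetic for 128-bit addresses, as a small Python example I’m adding here (not from the original post). It follows the RFC 5952 refinements that a single zero group is not collapsed and that the leftmost run wins a tie; the function names are mine.

```python
# Added example: IPv6 address compression/expansion and prefix sizes.

def compress_ipv6(addr):
    """Apply rule 1 (drop leading zeros in each group) and rule 2 (collapse the
    longest run of zero groups, once, into '::'). Input is the full 8-group form."""
    groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups: %r" % addr)
    # Rule 1: drop leading zeros but keep at least one digit per group.
    groups = [g.lstrip("0") or "0" for g in groups]
    # Locate the longest run of consecutive "0" groups (leftmost wins on ties).
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    # Rule 2: collapse that run; RFC 5952 says never collapse a single zero group.
    if best_len >= 2:
        left = ":".join(groups[:best_start])
        right = ":".join(groups[best_start + best_len:])
        return left + "::" + right
    return ":".join(groups)

def expand_ipv6(addr):
    """Inverse: restore the 8-group, 4-hex-digit form so addresses can be compared."""
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("malformed address: %r" % addr)
    return ":".join(g.zfill(4) for g in groups)

def prefix_size(prefix_len, bits=128):
    """Addresses covered by a /prefix_len block; bits=32 gives the IPv4 answer."""
    return 1 << (bits - prefix_len)

if __name__ == "__main__":
    full = "2001:0db8:0000:130F:0000:0000:087C:140B"
    print(compress_ipv6(full))              # 2001:db8:0:130F::87C:140B
    print(expand_ipv6("::1"))               # 0000:0000:0000:0000:0000:0000:0000:0001
    print(prefix_size(32), prefix_size(32, bits=32))   # 2**96 and 1
```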

How Addresses Get Assigned

Originally, when the internet was a young and wilder place, companies received IPv4 allocations directly from the Internet Assigned Numbers Authority, and a lot of organizations received large blocks of addresses. For example, Level 3 Communications owns the entire IPv4 address space with a 4 in the first octet. AT&T owns 12.0.0.0/8. MIT, IBM, Boeing, and other technology innovators also have similarly large allocations of 16 million or more IPv4 addresses. Then, as the internet grew, it became apparent that IANA couldn’t just go handing out millions of addresses to anyone that wanted them. Beginning in the early ’90s corporations began to form which would eventually hold the roles of “regional internet registries.” (RIRs)

In 1998 IANA became a part of ICANN as part of a US Government-sponsored initiative to improve internet address management, and in 1999 IANA began delegating IP address assignment to the RIRs. These RIRs (such as ARIN for North America and RIPE for Europe) are responsible for assigning addresses within their region and representing their customers to IANA to ensure fair address allocation worldwide. IANA currently allocates /8 blocks to RIRs, and the RIRs assign addresses in blocks of /12 or less to ISPs and end users. Current estimates indicate that IANA will have assigned all the IPv4 addresses to RIRs by mid-2011, and the RIRs will run out in December of 2012[5]. Likely these numbers will be pushed back as larger ISPs like Comcast begin rolling out IPv6, but that’s for another post.

I can really only speak to the way ARIN allocates addresses; the other RIRs have different procedures. ARIN will currently only allocate addresses directly to an organization if they can prove a need for at least a /22 address block, which is about 1000 usable addresses. If an organization needs less than 1000 addresses then they need to get their addresses “reassigned” to them from their ISP[6]. Requesting an address assignment from ARIN involves a lot of paperwork and study in order to prove to the RIR that you have a need for so many public addresses. In the case of my organization, as an ISP we have to show ARIN that we have assigned at least 75% of the previous address space they allocated, and that at least 50% of it is in active use by customers in order to get new addresses from them.

On the v6 front, IANA is allocating /12 blocks to RIRs which are in turn assigning blocks of IPv6 addresses with a /32 bitmask to service providers (or more, if you can justify to your RIR having more than the entire IPv4 address space raised to the 3rd power). To be fair, IPv6 addresses are designed to be assigned in much larger blocks than v4 addresses[7], but a /32 is still a metric fuckton of addresses. In order to get an IPv6 allocation from ARIN a company has to not only show that they have use for public address space, but also to show that they have developed a plan to roll out IPv6 within the next five years.

So that’s kind of an abridged (ha!) version of IPv4 and v6 addressing and allocation. Stay tuned for the real answers to Borepatch’s questions as soon as I get a bit more time.

Update @ 21:06 4/18 for math fail and to add a bit more info.

  1. Most people also don’t add the “v4” after “IP,” because v4 is the only IP addressing format in common use.
  2. For advanced students, this is an RFC1918 private address and is not internet routable.
  3. If you run *nix and need help with ifconfig, check your man pages. Or kill yourself.
  4. Based on 6.5 billion humans with 100 billion brain cells per person.
  5. Maybe the Mayans are on to something.
  6. Or one of their ISPs, but BGP and ASN assignment is out of the scope of this series.
  7. One of the major problems with the current system is that the internet routing tables are ginormous. During the IPv6 migration ISPs and other corporations are expected to deploy networks in overlarge aggregate blocks in order to reduce the size of the tables.

Doing It Wrong

So I’m about to shut off my Ethernet connection in order to avoid distraction while I read several books about the Internet. With paper and stuff. If only there were some way to get information about the Internet electronically. . .

Blogging resumes tomorrow.

With Apologies to Larry Correia

Arris: Because you suck and we hate you

Warning: this post is going to contain a lot of nonsense from my industry.

Arris is the H und K of the cable networking world. If you have cable internet, you’ve probably never heard of Arris, but it’s nearly certain that your service provider uses their products. If you have cable telephone, unless it’s FTTP, you likely have an Arris cable telephony box somewhere in your home or at your home’s cable demarc. Their customer premises equipment isn’t so bad, but their head end/CO equipment is terrible.

Now, even though Arris makes cable modems for end users (and just last month shipped their 20 millionth phone-enabled modem), you, as a cable subscriber, can’t buy one. Arris doesn’t sell cable modems to end users, only to cable operators or MSOs. If you want to buy one in order to avoid leasing a modem from your cable company, tough shit. They won’t sell you one. Find another telephony cable modem.

Arris is notorious for poor quality control. Not a week goes by that we don’t have to RMA one of Arris’s interface cards or power supplies or some other damn thing. On the other hand, we have the same amount of Nortel equipment and roughly three times as much Cisco equipment in our network, and I can count on one hand the number of times we have to replace parts for that gear in one year. Most of our Cisco equipment runs its entire service life without needing any sort of repair. I can’t say that for a single one of nearly 100 installed Arris CMTSs.

In addition, Arris equipment costs at least twice as much per subscriber compared to any other vendor. When I first saw the cost of a Cisco UBR10k, I thought it was ridiculous. Then I realized that it supports comfortably three times as many subscribers as the largest Arris CMTS, which costs nearly as much. The UBR also performs actual IP and IPv6 routing and supports industry-standard features like Etherchanneling and QOS marking and scheduling. And when you compare prices for upgrading that equipment to support DOCSIS 3.0, the balance is even less favorable for Arris.

Arris’s software isn’t anything to be proud of either. Like pretty much everyone else in the industry, the interface is a shell for some sort of *NIX platform. Like everyone else, configuration is stored and entered in sort of modular nested sections. Unlike everyone else’s implementation, if you enter the configuration out of order, it wipes everything in that section and you get to start over. Change an IP address on an interface, and it helpfully wipes the rest of that interface’s configuration for you. Oops, I hope you didn’t want that. Make a change to the routing protocol? There’s a 50/50 chance you’ll have to reboot the active CPU once or twice to make your change take effect. You won’t know it needs to be rebooted until you start experiencing issues with the unit. The issues might not even be related to the change you made, but they will have begun when you changed the config and they’ll end when you reset the CPU. It’s a good thing you’ve got redundant processing engines!

Which brings us to the one good thing Arris has going. Their built-in high-availability is top-notch. Because it has to be, or else every time one of their linecards failed their customers would have an outage on their hands lasting as long as it took to get replacement parts. Arris would probably tell you that their hardware redundancy is so awesome that you can perform maintenance in the middle of the day without affecting customers. That claim would be true, which I know because I’ve had to perform emergency maintenance on their equipment in the middle of the day. More than once. In the same week.

Now you might wonder, “Eseell, if the equipment and the customer service suck so hard, why do you buy them?” Well, I don’t get to make those decisions. I just have to make it work as best I can.

Yay maintenance

Starting tonight (Sunday night) I get to spend all week working during the maintenance window to finish two of my aforementioned projects. For those of you who may not be familiar with the joys of maintenance windows, that basically means that instead of my usual 8am-5pm type hours, I’ll be working more in the neighborhood of 8pm-5am for the week. On the one hand the hours suck, but on the other hand there’s no management around and no traffic. It could also be worse, since last week I worked alternately days and nights, which is a really good way to drive yourself crazy. I don’t know how some people can deal with having a schedule that varies so much all the time. Especially that whole 28-hour day thing. Blogging will occur at odd hours.

Three Down

I passed the Cisco Multilayer Switching exam today, which means that I am only one exam away from the CCNP certification. It also puts me only one exam away from the CCDP, but that isn’t my focus right now. Since the only exam I haven’t passed yet is the network security exam, I’ve decided to go for the brand-new CCNA Security certification before I take the last test. It’s pretty basic material, but it will be a good review before I tackle the tougher ISCW exam and I basically get a free cert out of it. Plus, if I ever decide to go for my CCSP, the CCNA Security cert is now a pre-requisite for that professional-level series of exams.

So the game plan now is:

  1. Study for CCNA Security exam and test sometime next week.
  2. Study for the ISCW test and complete that exam by the end of the month, thus earning my CCNP.
  3. Possibly take the other two CCNA specialty tests (Wireless and Voice) just for the heck of it. They should be very easy to pass.

Then I just have to decide whether I want to try to complete the CCIE written exam before August, which I think is very do-able at my current pace of studying, or to start studying for the RHCE certification. I could also go for one or more of the other Cisco professional certifications. As noted above, I’m only one exam away from the CCDP and I do already have a strong knowledge of Cisco’s enterprise design models.

Why is August my deadline? Well, in August I’m returning to college to complete my aerospace engineering degree after four years off in the data networking field. I may not be able to keep my current job when I return to school full-time, so I’m going after these certs in order to stand out in the job market, such as it is. All this studying is also getting me back into gear for the massive amount of studying that I’ll have to do when I begin school.

Two down, two to go

I passed the CCNP ONT (642-845) exam with flying colors today. I did much better than I expected to, so I guess I studied well. With that and the BSCI (advanced routing) exam under my belt there are only two more tests between me and certification. I intend to finish the multilayer switching and security exams by the end of April.

Class for the multilayer switching exam is proceeding as expected. In my regular job I deal with routing and layer three problems every day, but not at all with layer two. This class deals with the interaction between layer two and layer three and how that relationship affects network design and troubleshooting. Despite the fact that it deals with an aspect of networking that I have little exposure to, the lab material is extremely simple. Unfortunately, while the lab-focused course certainly gives me a working knowledge of the technology and how to deploy it, I’m really looking for a deeper understanding of the concepts behind the technology. The “whys” instead of the “hows”. It looks like the only place I’m going to get that is from self-study. Oh well, this class was never meant to be the be-all-end-all of my switching education.

Light blogging

So I’m only just starting this thing and blogging is unfortunately irregular. Last week was one fire after another at work and this week I’m taking a Cisco multilayer switching class and studying for the Cisco QOS exam.

Class is going well. As usually happens with these lab-based classes, the instructor lectures for an hour, then I write out my configuration and apply it in about 20 minutes while the rest of the class takes two or three hours to troubleshoot problems that they could have avoided if they had planned their implementation properly. I spend that time making my network pod hack-proof or otherwise completely overengineering solutions to problems that I don’t have.

Fortunately the instructor is a gun nut and a friggin genius when it comes to networking and network security, so when he’s not helping other pods we shoot the bull about guns and Cisco. Good times.

I’ll try to get something more substantial up on Thursday after I take the QOS exam.