Five Security Flaws in IPv6

Iljitsch van Beijnum iljitsch at muada.com
Sun May 13 20:03:38 CEST 2007


[Got this one four times too. I'm assuming a mail filter problem on  
my end, please ignore.]

On 13-May-2007, at 19:26, David Conrad wrote:

> Currently IANA has 46 /8s left in the free pool, so that's -9 from  
> the end of 2006.

That's not how it looks from where I'm sitting, grepping for " 07", I  
only see -7:

092/8   Mar 07   RIPE NCC                            (whois.ripe.net)
093/8   Mar 07   RIPE NCC                            (whois.ripe.net)
116/8   Jan 07   APNIC                               (whois.apnic.net)
117/8   Jan 07   APNIC                               (whois.apnic.net)
118/8   Jan 07   APNIC                               (whois.apnic.net)
119/8   Jan 07   APNIC                               (whois.apnic.net)
120/8   Jan 07   APNIC                               (whois.apnic.net)

And then +1:

004/8   Dec 92   Level 3 Communications, Inc.        (Updated - Apr 07)
008/8   Dec 92   Level 3 Communications, Inc.        (Updated - Apr 07)
046/8   Dec 92   IANA - Reserved                     (Updated - Apr 07)
055/8   Apr 95   DoD Network Information Center      (Updated - Feb 07)

See the end of the message for my code that parses the
ipv4-address-space file, which counts 49 /8s as free, including 36, 46, 49 and 50.

> We're not yet at the midpoint of the year, so -18 for 2007 looks to  
> be pretty dead on.

The trouble with these stats is that they are so coarse. APNIC got 5 /8s
in January, extrapolating that would mean we'd be out before the  
end of the year. That's why I prefer to look at the RIR->LIR figures  
instead. That gives us -65 million for this year or -82 million  
ignoring the BBN /8 that came back. This puts us on track for  
something like 200 million addresses given out this year. With 49 /8s  
= 822 million in the IANA pool I don't see how that works out to  
December 2009.

> And why would you assume a linear extrapolation (55/3 = 18 rem 1)  
> for the last 3 years of IPv4 free pool availability?

I wasn't assuming linearity, just working with the average.

The problem with this data is that you simply can't draw any line  
that fits the underlying data more than 4 times: there is no way to  
tell the trends from the exceptions. (Relatively) long time averages  
for the increase in addresses given out in a year are in the 5 - 25 %  
range. That's a big range, but the difference in projected end date  
for IPv4 (when we're flat out, including the RIR working stashes,  
which are currently 413 million addresses) is not that big: 2013 for  
the low end, 2011 for the high end.

My personal prediction: unless unprecedented changes happen, we'll be  
out of v4 somewhere in the second decade of the century, with 2012 or  
2013 being the most likely year for that to happen.

Iljitsch




     // Skip 0/8, 10/8, 127/8 and everything from 224/8 up.
     if ($firstbyte > 0 && $firstbyte < 224 && $firstbyte != 10 && $firstbyte != 127)
       {
         // Report the /8 if its line in the IANA file differs from the stored copy.
         $result = mysql("muada", "select * from homerir where firstbyte = $firstbyte");
         if ($row = mysql_fetch_array($result))
           if ($row['ianaline'] != $line)
             printf("%3d (%s) has changed:\nold: %s\nnew: %s\n", $row['firstbyte'],
               $row['homerir'], $row['ianaline'], $line);
         mysql("muada", "delete from homerir where firstbyte = $firstbyte");
         // Derive the home RIR from the registry name on the line.
         if (strpos($line, "AfriNIC"))
           $homerir = "afrinic";
         else if (strpos($line, "APNIC"))
           $homerir = "apnic";
         else if (strpos($line, "ARIN"))
           $homerir = "arin";
         else if (strpos($line, "LACNIC"))
           $homerir = "lacnic";
         else if (strpos($line, "RIPE"))
           $homerir = "ripencc";
         else if (strpos($line, "Various"))
           $homerir = "various";
         else if (!(strpos($line, "IANA") || $firstbyte == 24) || $firstbyte == 14)
           $homerir = "iana";
         else
           $homerir = "";
         // Two-digit year at offset 12 of the line; expand it to four digits.
         $year = substr($line, 12, 2);
         if ($year > 80)
           $year = "19" . $year;
         else
           $year = "20" . $year;


